About the many CVEs in sonar-plugin-api dependencies

Hi, we have quite a strict security policy, and libraries with a high CVSS rating are just automatically removed from our corporate mirrors.

We would like to create some custom rules for SonarQube, though. Is there a plan to upgrade the sonar-plugin-api dependencies affected by vulnerabilities (some rated 10)?

Vulnerabilities from dependencies:
CVE-2022-23221
CVE-2021-44832
CVE-2021-42550
CVE-2021-42392
CVE-2021-34428
CVE-2021-22569
CVE-2020-27218
CVE-2019-10247
CVE-2019-10241
CVE-2018-12545
CVE-2018-12536
CVE-2017-7656

Source: https://mvnrepository.com/artifact/org.sonarsource.sonarqube/sonar-plugin-api/8.9.6.50800


Well, I may have misread the mvnrepository page; it's only managed dependencies, not transitive dependencies.

Hi,

You’re looking at a report for a non-current version of the LTS. SonarQube 8.9.6 was released in late December, and 8.9.7 is imminent.

SonarQube only has a test dependency on Log4J and that dependency is updated to the latest fix versions in 8.9.6 LTS and in 9.3.

You may find this thread helpful.

Ann
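The two points made above (a CVE listed against a managed dependency is not necessarily pulled in at all, and a test-scoped dependency never reaches a consumer's classpath) can be checked mechanically from the POM. The script below is an added example, not code from the thread or from SonarSource, and the POM it parses is a constructed sample with made-up coordinates and versions (h2, log4j-core and guava are used only as illustrative names), not the real sonar-plugin-api POM. It separates entries that appear only under `<dependencyManagement>` from those actually declared under `<dependencies>`, and reports the scope of the latter.

```python
"""Classify the dependencies a Maven POM declares by whether they can reach a
consumer's classpath.

Added example, not SonarSource code.  SAMPLE_POM is a constructed sample POM
(coordinates and versions are made up for illustration).  Three outcomes:
  * "managed-only": listed under <dependencyManagement> but never declared
    under <dependencies>, so this POM pulls nothing in for it;
  * "test": declared with <scope>test</scope>, so it never ships to consumers;
  * any other value is the literal Maven scope (compile, runtime, provided,
    system), i.e. the dependency is on some classpath of whoever consumes it.
"""
import xml.etree.ElementTree as ET

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM for illustration only (not the real project's POM).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>plugin-api-sample</artifactId>
  <version>1.0</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <version>1.4.200</version>
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.17.0</version>
      </dependency>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>31.0.1-jre</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
    </dependency>
  </dependencies>
</project>
"""


def _coord(dep: ET.Element) -> str:
    """Return the groupId:artifactId key for a <dependency> element."""
    group = dep.findtext("m:groupId", namespaces=MAVEN_NS)
    artifact = dep.findtext("m:artifactId", namespaces=MAVEN_NS)
    return f"{group}:{artifact}"


def classify_dependencies(pom_xml: str) -> dict:
    """Map each coordinate mentioned in the POM to its effective status."""
    root = ET.fromstring(pom_xml)

    # Versions pinned in <dependencyManagement> apply only if something
    # actually declares the dependency; on their own they pull nothing in.
    managed = {
        _coord(d)
        for d in root.findall(
            "m:dependencyManagement/m:dependencies/m:dependency", MAVEN_NS
        )
    }
    # Direct declarations; Maven's default scope when <scope> is absent is compile.
    declared = {
        _coord(d): d.findtext("m:scope", default="compile", namespaces=MAVEN_NS)
        for d in root.findall("m:dependencies/m:dependency", MAVEN_NS)
    }

    result = {}
    for coord in managed | set(declared):
        result[coord] = declared.get(coord, "managed-only")
    return result


def policy_relevant(pom_xml: str) -> list:
    """Coordinates that are actually on a consumer's compile or runtime classpath.

    These are the only entries for which a CVE in the dependency could matter
    to someone consuming the artifact.  "provided" is deliberately excluded
    here: it is supplied by the host at runtime and must be assessed there.
    """
    status = classify_dependencies(pom_xml)
    return sorted(c for c, s in status.items() if s in ("compile", "runtime"))


if __name__ == "__main__":
    for coord, status in sorted(classify_dependencies(SAMPLE_POM).items()):
        print(f"{coord:45s} {status}")
    print("policy-relevant:", policy_relevant(SAMPLE_POM))
```

On the sample, h2 comes out as managed-only, log4j-core as test, and only guava as a shipped (compile) dependency. The script only reads direct declarations; a dependency that arrives transitively through a shipped one is not in the POM text at all, so for a full picture resolve the tree with `mvn dependency:tree` on the consuming project and apply the same scope filter to its output.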

Hi Ann, here is my link from above:

It’s the API version for 8.9.6 if I’m not wrong, and it’s the latest one.

Hi,

Sorry, I misread your link initially; my eyes swapped the ‘5’ and the ‘6’. You’re right. That was the most recent at the time you posted it.

We did just release 8.9.7 today, but it doesn’t address those CVEs.

These are about the H2 DB, which is embedded only for evaluation purposes. We’re very clear that it should not be used in production. I think we’ll probably upgrade the embedded H2 at some point, but there’s no rush.

This is about upgrading to Log4J 2.17.1. Again - and to be very clear about this - our security researchers didn’t find any way of exploiting the CVEs in previous point releases of the LTS. We have no current plans to upgrade the LTS for this.

For the rest, I don’t have an immediate answer, but I’m not aware of immediate plans to address them.

Ann

Ok, thank you Ann.